OpenSSL v3 invalid token #641
Comments
|
Come to think of it - between the last snappymail test (2.20.2) and now dovecot has been rebuilt against openssl 3 - so thats another change - could that have anything to do with it you think? All the usual mail apps don't seem to care so didn't think it mattered but thought best to mention for completeness. php is vers is 8.1.12 (as of oct 29) thanks for any guidance |
|
Probably author forgot to provide release archive files (snappymail-2.20.5.{tar.gz,zip}). |
|
I improved token error handling but forgot to test and remove param. |
|
Should work now with v2.20.6 |
|
Just tried 2.20.6 - still have same problem being unable to login - same user/pass as always - I still get 'invalid token' popup over login auth screen. |
|
I get |
|
I've also been getting "invalid token" for the last couple of days. It might be a coincidence, but the behaviour started when I updated OpenSSL from 1.1.1 to 3.0.7 on my Arch Linux system. Updating snappymail to 2.20.6 did not help. When trying to log in to the admin panel, I'm seeing the same behaviour that @alabre describes in #632 (comment)_ This is what appears in my snappymail logs after a failed login as a regular user: |
|
Json decoder throws error, because the data contains control character. When you install sodium in php, does that solve the issue? |
|
Yes indeed, enabling sodium did the trick. It was already installed but not enabled in my php.ini. Thank you! |
|
Good workaround! I will wrap up some code for OpenSSL testing because more people with OpenSSL 3 will get errors. |
|
I enabled it in php.ini and still see this error: SnappyMail\Crypt::opensslDecrypt(): $data or $iv is empty string in /usr/share/webapps/snappymail/snappymail/v/2.20.6/app/libraries/snappymail/crypt.php on line 63" I have libsodium installed but not php-sodium .. maybe I need that too? |
|
yes you need that too |
|
yah ok that did it ... (and restarting php-fm). |
|
Could you also tell your value of |
|
where is application.init? |
|
If its this one: snappymail/data/data/default/configs/application.ini |
|
For me it's encrypt_cipher = "aes-256-cbc-hmac-sha1" |
|
which file is that @dertinger |
|
sounds like a weak one to me ... |
It's the one from the path you mentioned |
|
thanks - something I should add perhaps |
|
should we close this one or do you want to keep it open while you tweak openssl bits? |
|
Keep open as the OpenSSL issue is not solved yet. I now do have a test script to use with SnappyMail root index.php <?php
$_ENV['SNAPPYMAIL_INCLUDE_AS_API'] = true;
require __DIR__ . '/index.php';
header('Content-Type: text/plain');
$data = \random_bytes(2048);
$key = \random_bytes(16);
foreach (\SnappyMail\Crypt::listCiphers() as $cipher) {
echo "{$cipher} = ";
try {
\SnappyMail\Crypt::setCipher($cipher);
$iv = \random_bytes(\openssl_cipher_iv_length($cipher));
$encrypted = \SnappyMail\Crypt::OpenSSLEncrypt($data, $iv, $key);
$decrypted = $encrypted ? \SnappyMail\Crypt::OpenSSLDecrypt($encrypted, $iv, $key) : '';
} catch (\Throwable $e) {
$decrypted = '';
}
echo (0 === \strcmp($data, $decrypted) ? 'ok' : 'FAILED') . "\n";
} |
Ref: the-djmaze/snappymail#641 The sodium extension must be enabled in php.ini or similar configuraton file.
|
Yo, package maintainer for AUR package of snappymail here. I've just pushed a fix adding |
|
I've made changes to the handling of the OpenSSL cipher setting. This does have impact when switching from OpenSSL v1 to v3, but the login should work. I've also added additional logging when encryption fails. |
|
Can someone with OpenSSL v3 run above script and provide the output so that i can compare it? As I don't have OpenSSL v3 anywhere at the moment. |
|
Sure PHP Warning: openssl_cipher_iv_length(): Unknown cipher algorithm in /usr/share/webapps/snappymail/test.php on line 13 |
|
part 2 is stdout aes-128-cbc-cts = FAILED |
|
Awesome, i've added them to filter out the FAILED options. |
|
quick question - for some reason I can no longer login to admin panel - I want to change from starttls to SSL - (imap on 993, smtp on 465) - in the domain ini file - i currently use "TLS" - what do I change it to to get SSL ? |
|
I meant the 2 settings: imap_secure nd smtp_secure |
|
I just realized that CardDAV sync is still broken for OpenSSL reasons even after the fix for the login issue. Syncing used to work until the OpenSSL update. This is what the log says after an attempt to sync contacts with my Radicale server: |
|
I've moved my last comment regarding CardDAV to a new issue #674 so we can leave this one closed. |
The new release tar asset has different url than earlier ones - it was under ../releases/downloads/.. .now its ../refs/tags/ and doesn't look like release.php was run - maybe I'm wrong. Version file is 0.0.0 which usually gets the release version after release.php is run.
Anyway - I ran release.php - and installed - but it fails to let me login - i get 'invalid token'
Maybe its me but any suggestions to fix the invalid token thing would be appreciated.
The text was updated successfully, but these errors were encountered: